From: Sebastian Poehn <sebastian.poehn@googlemail.com>
To: Eliezer Croitoru <eliezer@ngtech.co.il>
Cc: jengelh@inai.de, netfilter@vger.kernel.org
Subject: Re: How to use TROXY target only for specific outgoing interface
Date: Mon, 14 Jan 2013 20:12:15 +0100
Message-ID: <1358190735.2257.12.camel@localhost.localdomain>
In-Reply-To: <50F33624.3010208@ngtech.co.il>

I've drawn a new picture. We want to connect from Node 1 to the 'internet'. All traffic via wan1 shall be proxied; traffic over lan1 shall not.
The only valid match for this situation is the outgoing interface (oif == wan1: do proxy; else: no proxy). It is not possible to match on
dst networks, as routing metrics may change, and with them even whether wan1 or wan2 is used (for the uplink).
I cannot -A POSTROUTING -o wan1 -j TPROXY, as TPROXY must be called in PREROUTING (where -o is not available).
                  internet
   _______________________________________
    ^                                   ^
    |wan1                               |wan2
    |                                   |
#########         #########         #########
#ROUTER1#  lan1   #ROUTER2#  lan3   #ROUTER3#
#   +   #<------->#       #<------->#       #
#TPROXY #   igp   #       #   igp   #       #
#########         #########         #########
    |
    | lan2
    |
#########
# NODE 1#
#       #
#       #
#########
On Mon, 2013-01-14 at 00:33 +0200, Eliezer Croitoru wrote:
> If you would give an IP example rather than a sketch, I think I have an
> idea on how to do it using some local routing daemon on the router machine.
>
> Another thing to notice is that if you are using tproxy it should be
> used based on known network data, or globally with specific exceptions.
> Otherwise, in these situations you will need to plan some iptables structure
> to fit, maybe ipset or any other way of organizing the dynamic tproxy rules.
>
> Eliezer
>
> On 1/13/2013 6:39 PM, Sebastian Poehn wrote:
> > For a simple setup this is more than sufficient. But I want to realize
> > something with dynamic routing. So to clarify:
> >
> >                 ospf            lan1    ############
> >   local3 <---------> local1 <-----------#  ROUTER  #      wan
> >                                         #    +     #-------------> internet
> >                      local2 <-----------#  TPROXY  #
> >                                 lan2    ############
> >
> > For me it's not possible to even know every subnet which is on the local
> > side. It would even be possible that there is a multi-homed environment
> > with e.g. local3 connected to the internet, too. (That means that even
> > a non-local destination could go from local2, via lan2, lan1, local1 and
> > local3 to the "internet".)
> >
> > Thanks for your reply, Jan
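The constraint Sebastian runs into is that the TPROXY target is only valid in the mangle PREROUTING chain, where the only interface match is the ingress interface (-i); the egress interface (-o) does not exist yet at that hook. The script below is an added example, not code posted in this thread, showing the standard TPROXY divert setup as it would look on ROUTER1 for clients arriving on lan2. The interface name lan2, the proxy port 3129, the firewall mark 0x1 and the routing table number 100 are assumptions; the `-m socket`/DIVERT pattern is the one documented for the kernel's TPROXY. It defaults to DRY_RUN=1 and prints the commands rather than executing them, so it can be inspected on any host.

```shell
#!/bin/sh
# Added example: TPROXY setup on ROUTER1 for traffic arriving from lan2.
# Interface, port, mark and table values are assumptions for illustration.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them (root).
set -eu

DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Emit the mangle ruleset plus the policy route it depends on.
# TPROXY is only accepted in mangle PREROUTING, so the sole interface
# selector available is the ingress interface (-i); there is no -o here,
# which is the limitation discussed in the thread above.
tproxy_rules() {
    in_if="$1"        # interface the client traffic arrives on (e.g. lan2)
    proxy_port="$2"   # port the transparent proxy listens on
    table="$3"        # policy-routing table used for marked packets

    run iptables -t mangle -N DIVERT
    # Packets that already belong to a local socket owned by the proxy
    # (replies on established flows): mark them and stop processing.
    run iptables -t mangle -A PREROUTING -i "$in_if" -p tcp -m socket -j DIVERT
    run iptables -t mangle -A DIVERT -j MARK --set-mark 0x1
    run iptables -t mangle -A DIVERT -j ACCEPT
    # New port-80 flows from the client side: hand them to the proxy socket
    # on this host without rewriting the destination address.
    run iptables -t mangle -A PREROUTING -i "$in_if" -p tcp --dport 80 \
        -j TPROXY --tproxy-mark 0x1/0x1 --on-port "$proxy_port"
    # Marked packets must be delivered locally instead of being forwarded.
    run ip rule add fwmark 0x1 lookup "$table"
    run ip route add local 0.0.0.0/0 dev lo table "$table"
}

# Helper for checking the generated ruleset: number of PREROUTING rules.
count_prerouting_rules() {
    tproxy_rules "$@" | grep -c -- '-A PREROUTING'
}

tproxy_rules lan2 3129 100
```

Both PREROUTING rules carry `-i lan2`, which is as close as this hook gets to "only traffic that will leave via wan1": it selects by where the packet came from, not where routing will send it. Any rule written with `-o` in PREROUTING is rejected by iptables, so a per-egress-interface policy has to be expressed some other way.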
Thread overview: 8+ messages
2013-01-13 8:54 How to use TROXY target only for specific outgoing interface Sebastian Poehn
2013-01-13 11:30 ` Jan Engelhardt
2013-01-13 16:39 ` Sebastian Poehn
2013-01-13 22:33 ` Eliezer Croitoru
2013-01-14 19:12 ` Sebastian Poehn [this message]
2013-01-15 12:02 ` Eliezer Croitoru
2013-01-15 18:37 ` Sebastian Poehn
2013-01-15 18:54 ` Eliezer Croitoru